Remove tinycrypt

.github/workflows/sim.yaml

@@ -16,25 +16,23 @@ jobs:
     strategy:
       matrix:
         features:
-        - "sig-ecdsa,sig-ecdsa-mbedtls,sig-ed25519,enc-kw,bootstrap"
+        - "sig-ecdsa-mbedtls,sig-ed25519,enc-kw,bootstrap"
         - "sig-rsa,sig-rsa3072,overwrite-only,validate-primary-slot,swap-move,swap-offset"
         - "enc-rsa,enc-rsa max-align-32"
         - "enc-aes256-rsa,enc-aes256-rsa max-align-32"
-        - "enc-ec256,enc-ec256 max-align-32"
+        - "enc-ec256-mbedtls,enc-ec256-mbedtls max-align-32"
         - "enc-aes256-ec256,enc-aes256-ec256 max-align-32"
         - "enc-x25519,enc-x25519 max-align-32"
         - "enc-aes256-x25519,enc-aes256-x25519 max-align-32"
-        - "sig-rsa overwrite-only,sig-ecdsa overwrite-only,sig-ecdsa-mbedtls overwrite-only,multiimage overwrite-only"
-        - "sig-rsa validate-primary-slot,sig-ecdsa validate-primary-slot,sig-ecdsa-mbedtls validate-primary-slot,sig-rsa multiimage validate-primary-slot"
+        - "sig-rsa overwrite-only,sig-ecdsa-mbedtls overwrite-only,multiimage overwrite-only"
+        - "sig-rsa validate-primary-slot,sig-ecdsa-mbedtls validate-primary-slot,sig-rsa multiimage validate-primary-slot"
         - "enc-kw overwrite-only,enc-kw overwrite-only max-align-32"
         - "enc-rsa overwrite-only,enc-rsa overwrite-only max-align-32"
         - "enc-aes256-kw overwrite-only,enc-aes256-kw overwrite-only max-align-32"
         - "sig-rsa enc-rsa validate-primary-slot,swap-move enc-rsa sig-rsa validate-primary-slot bootstrap,swap-offset enc-rsa sig-rsa validate-primary-slot bootstrap"
         - "sig-rsa enc-kw validate-primary-slot bootstrap,sig-ed25519 enc-x25519 validate-primary-slot"
-        - "sig-ecdsa enc-kw validate-primary-slot"
         - "sig-ecdsa-mbedtls enc-kw validate-primary-slot"
         - "sig-rsa validate-primary-slot overwrite-only,sig-rsa validate-primary-slot overwrite-only max-align-32"
-        - "sig-ecdsa enc-ec256 validate-primary-slot"
         - "sig-ecdsa-mbedtls enc-ec256-mbedtls validate-primary-slot"
         - "sig-ecdsa-mbedtls enc-aes256-ec256 validate-primary-slot"
         - "sig-rsa validate-primary-slot overwrite-only downgrade-prevention"
@@ -43,7 +41,7 @@ jobs:
         - "sig-rsa validate-primary-slot direct-xip"
         - "sig-rsa validate-primary-slot ram-load multiimage"
         - "sig-rsa validate-primary-slot direct-xip multiimage"
-        - "sig-ecdsa hw-rollback-protection multiimage"
+        - "sig-ecdsa-mbedtls hw-rollback-protection multiimage"
         - "sig-ecdsa-psa,sig-ecdsa-psa sig-p384"
         - "ram-load enc-aes256-kw multiimage"
         - "ram-load enc-aes256-kw sig-ecdsa-mbedtls multiimage"

boot/bootutil/include/bootutil/crypto/ecdh_p256.h

@@ -23,51 +23,10 @@
     #define EC256_PUBK_LEN (65)
 #endif /* MCUBOOT_USE_MBED_TLS */
 
-#if defined(MCUBOOT_USE_TINYCRYPT)
-    #include <tinycrypt/ecc_dh.h>
-    #include <tinycrypt/constants.h>
-    #define BOOTUTIL_CRYPTO_ECDH_P256_HASH_SIZE (4 * 8)
-#endif /* MCUBOOT_USE_TINYCRYPT */
-
 #ifdef __cplusplus
 extern "C" {
 #endif
 
-#if defined(MCUBOOT_USE_TINYCRYPT)
-typedef uintptr_t bootutil_ecdh_p256_context;
-typedef bootutil_ecdh_p256_context bootutil_key_exchange_ctx;
-static inline void bootutil_ecdh_p256_init(bootutil_ecdh_p256_context *ctx)
-{
-    (void)ctx;
-}
-
-static inline void bootutil_ecdh_p256_drop(bootutil_ecdh_p256_context *ctx)
-{
-    (void)ctx;
-}
-
-static inline int bootutil_ecdh_p256_shared_secret(bootutil_ecdh_p256_context *ctx, const uint8_t *pk, const uint8_t *sk, uint8_t *z)
-{
-    int rc;
-    (void)ctx;
-
-    if (pk[0] != 0x04) {
-        return -1;
-    }
-
-    rc = uECC_valid_public_key(&pk[1], uECC_secp256r1());
-    if (rc != 0) {
-        return -1;
-    }
-
-    rc = uECC_shared_secret(&pk[1], sk, z, uECC_secp256r1());
-    if (rc != TC_CRYPTO_SUCCESS) {
-        return -1;
-    }
-    return 0;
-}
-#endif /* MCUBOOT_USE_TINYCRYPT */
-
 #if defined(MCUBOOT_USE_MBED_TLS)
 #define NUM_ECC_BYTES 32
 

boot/bootutil/include/bootutil/crypto/ecdsa.h

@@ -8,7 +8,7 @@
  * This module provides a thin abstraction over some of the crypto
  * primitives to make it easier to swap out the used crypto library.
  *
- * At this point, the choices are: MCUBOOT_USE_TINYCRYPT, MCUBOOT_USE_CC310,
+ * At this point, the choices are: MCUBOOT_USE_CC310,
  * MCUBOOT_USE_MBED_TLS, MCUBOOT_USE_PSA_CRYPTO. Note that support for
  * MCUBOOT_USE_PSA_CRYPTO is still experimental and it might not support all
  * the crypto abstractions that MCUBOOT_USE_MBED_TLS supports. For this
@@ -32,17 +32,11 @@
     #error "P384 requires PSA_CRYPTO to be defined"
 #endif
 
-#if (defined(MCUBOOT_USE_TINYCRYPT) + \
-     defined(MCUBOOT_USE_CC310) + \
+#if defined(MCUBOOT_USE_CC310) + \
      defined(MCUBOOT_USE_PSA_OR_MBED_TLS)) != 1
-    #error "One crypto backend must be defined: either CC310/TINYCRYPT/MBED_TLS/PSA_CRYPTO"
+    #error "One crypto backend must be defined: either CC310/MBED_TLS/PSA_CRYPTO"
 #endif
 
-#if defined(MCUBOOT_USE_TINYCRYPT)
-    #include <tinycrypt/ecc_dsa.h>
-    #include <tinycrypt/constants.h>
-#endif /* MCUBOOT_USE_TINYCRYPT */
-
 #if defined(MCUBOOT_USE_CC310)
     #include <cc310_glue.h>
 #endif /* MCUBOOT_USE_CC310 */
@@ -76,7 +70,7 @@
 extern "C" {
 #endif
 
-#if (defined(MCUBOOT_USE_TINYCRYPT) || defined(MCUBOOT_USE_MBED_TLS) || \
+#if (defined(MCUBOOT_USE_MBED_TLS) || \
      defined(MCUBOOT_USE_CC310)) && !defined(MCUBOOT_USE_PSA_CRYPTO)
 /*
  * Declaring these like this adds NULL termination.
@@ -127,109 +121,7 @@ static int bootutil_import_key(uint8_t **cp, uint8_t *end)
 
     return 0;
 }
-#endif /* (MCUBOOT_USE_TINYCRYPT || MCUBOOT_USE_MBED_TLS || MCUBOOT_USE_CC310) && !MCUBOOT_USE_PSA_CRYPTO */
-
-#if defined(MCUBOOT_USE_TINYCRYPT)
-#ifndef MCUBOOT_ECDSA_NEED_ASN1_SIG
-/*
- * cp points to ASN1 string containing an integer.
- * Verify the tag, and that the length is 32 bytes. Helper function.
- */
-static int bootutil_read_bigint(uint8_t i[NUM_ECC_BYTES], uint8_t **cp, uint8_t *end)
-{
-    size_t len;
-
-    if (mbedtls_asn1_get_tag(cp, end, &len, MBEDTLS_ASN1_INTEGER)) {
-        return -3;
-    }
-
-    if (len >= NUM_ECC_BYTES) {
-        memcpy(i, *cp + len - NUM_ECC_BYTES, NUM_ECC_BYTES);
-    } else {
-        memset(i, 0, NUM_ECC_BYTES - len);
-        memcpy(i + NUM_ECC_BYTES - len, *cp, len);
-    }
-    *cp += len;
-    return 0;
-}
-
-/*
- * Read in signature. Signature has r and s encoded as integers. Helper function.
- */
-static int bootutil_decode_sig(uint8_t signature[NUM_ECC_BYTES * 2], uint8_t *cp, uint8_t *end)
-{
-    int rc;
-    size_t len;
-
-    rc = mbedtls_asn1_get_tag(&cp, end, &len,
-                              MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
-    if (rc) {
-        return -1;
-    }
-    if (cp + len > end) {
-        return -2;
-    }
-
-    rc = bootutil_read_bigint(signature, &cp, end);
-    if (rc) {
-        return -3;
-    }
-    rc = bootutil_read_bigint(signature + NUM_ECC_BYTES, &cp, end);
-    if (rc) {
-        return -4;
-    }
-    return 0;
-}
-#endif /* not MCUBOOT_ECDSA_NEED_ASN1_SIG */
-
-typedef uintptr_t bootutil_ecdsa_context;
-static inline void bootutil_ecdsa_init(bootutil_ecdsa_context *ctx)
-{
-    (void)ctx;
-}
-
-static inline void bootutil_ecdsa_drop(bootutil_ecdsa_context *ctx)
-{
-    (void)ctx;
-}
-
-static inline int bootutil_ecdsa_verify(bootutil_ecdsa_context *ctx,
-                                        uint8_t *pk, size_t pk_len,
-                                        uint8_t *hash, size_t hash_len,
-                                        uint8_t *sig, size_t sig_len)
-{
-    int rc;
-    (void)ctx;
-    (void)pk_len;
-    (void)sig_len;
-    (void)hash_len;
-
-    uint8_t signature[2 * NUM_ECC_BYTES];
-    rc = bootutil_decode_sig(signature, sig, sig + sig_len);
-    if (rc) {
-        return -1;
-    }
-
-    /* Only support uncompressed keys. */
-    if (pk[0] != 0x04) {
-        return -1;
-    }
-    pk++;
-
-    rc = uECC_verify(pk, hash, BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE, signature, uECC_secp256r1());
-    if (rc != TC_CRYPTO_SUCCESS) {
-        return -1;
-    }
-    return 0;
-}
-
-static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx,
-                                                  uint8_t **cp,uint8_t *end)
-{
-    (void)ctx;
-    return bootutil_import_key(cp, end);
-}
-#endif /* MCUBOOT_USE_TINYCRYPT */
+#endif /* (MCUBOOT_USE_MBED_TLS || MCUBOOT_USE_CC310) && !MCUBOOT_USE_PSA_CRYPTO */
 
 #if defined(MCUBOOT_USE_CC310)
 typedef uintptr_t bootutil_ecdsa_context;

sim/Cargo.toml

@@ -9,7 +9,6 @@ default = []
 
 sig-rsa = ["mcuboot-sys/sig-rsa"]
 sig-rsa3072 = ["mcuboot-sys/sig-rsa3072"]
-sig-ecdsa = ["mcuboot-sys/sig-ecdsa"]
 sig-ecdsa-mbedtls = ["mcuboot-sys/sig-ecdsa-mbedtls"]
 sig-ecdsa-psa = ["mcuboot-sys/sig-ecdsa-psa", "mcuboot-sys/psa-crypto-api"]
 sig-p384 = ["mcuboot-sys/sig-p384"]
@@ -22,7 +21,6 @@ enc-rsa = ["mcuboot-sys/enc-rsa"]
 enc-aes256-rsa = ["mcuboot-sys/enc-aes256-rsa"]
 enc-kw = ["mcuboot-sys/enc-kw"]
 enc-aes256-kw = ["mcuboot-sys/enc-aes256-kw"]
-enc-ec256 = ["mcuboot-sys/enc-ec256"]
 enc-ec256-mbedtls = ["mcuboot-sys/enc-ec256-mbedtls"]
 enc-aes256-ec256 = ["mcuboot-sys/enc-aes256-ec256"]
 enc-x25519 = ["mcuboot-sys/enc-x25519"]

sim/mcuboot-sys/Cargo.toml

@@ -18,9 +18,6 @@ sig-rsa = []
 # Verify RSA-3072 signatures.
 sig-rsa3072 = []
 
-# Verify ECDSA (secp256r1) signatures.
-sig-ecdsa = []
-
 # Verify ECDSA (secp256r1) signatures using mbed TLS
 sig-ecdsa-mbedtls = []
 
@@ -57,9 +54,6 @@ enc-kw = []
 # Encrypt image in the secondary slot using AES-256-CTR and AES-KW-256
 enc-aes256-kw = []
 
-# Encrypt image in the secondary slot using ECIES-P256
-enc-ec256 = []
-
 # Encrypt image in the secondary slot using AES-256-CTR and ECIES-P256
 enc-aes256-ec256 = []